The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
An address resolution protocol is used in a network to resolve associations between addresses of devices in a network. Historically, address resolution protocols have been used to resolve associations between Network Layer addresses and Data Link Layer addresses. For example, an address resolution protocol may be used to resolve an association between a given Internet Protocol (IP) address and a given Media Access Control (MAC) address. The IP address is a Network Layer address, while the MAC address is a Data Link Layer address.
One very popular address resolution protocol called Address Resolution Protocol (ARP) is defined in IETF Request for Comments (RFC) 826. Capitalization is used herein to distinguish the more specific ARP from the more general class of address resolution protocols of which ARP is a member. Another address resolution protocol is the IP Version 6 (IPv6) Neighbor Discovery Protocol.
In order to prevent a breach of network security that can result from misuse or abuse of an address resolution protocol, filters may be implemented. One such filter is an ARP filter. Upon receiving an ARP packet, which attempts to establish an association between an IP address and a MAC address that are included in the ARP packet, a network element (such as a switch or router) consults an ARP filter to determine if the association is permitted. If the association is permitted, then an ARP table, which is supposed to include only legitimate IP-MAC address bindings, is updated to include the permitted association. If the association is not permitted, then the ARP table is not updated.
While filters are effective in preventing some misuses or abuses of address resolution protocols, those seeking to implement filters have been required to generate and maintain the filters manually. As the number of network addresses in a network increases, manual maintenance of filters becomes less practical.
Furthermore, because some network addresses may be dynamically assigned and may change from time to time, filters that are not frequently updated may often contain outdated information that not only fails to prevent illegitimate address resolution, but also actively interferes with legitimate address resolution.
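To make the filter mechanism and its stale-filter failure mode concrete, here is an added illustration (not code from this application): a minimal RFC 826 Ethernet/IPv4 ARP packet builder and parser, a hand-maintained filter expressed as an IP-to-MAC allow list, and the table-update rule from above, run over constructed packets. The addresses, the `demo` scenario and the dynamic reassignment of 10.0.0.5 are all assumed for the example.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    # RFC 826 layout for Ethernet (htype 1) carrying IPv4 (ptype 0x0800), 28 bytes.
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + IPv4Address(spa).packed
            + mac_bytes(tha) + IPv4Address(tpa).packed)

def parse_arp(pkt: bytes) -> tuple[int, str, str]:
    """Return (operation, sender IP, sender MAC) from an Ethernet/IPv4 ARP packet."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa = pkt[8:14], pkt[14:18]
    return oper, str(IPv4Address(spa)), ":".join(f"{b:02x}" for b in sha)

def process_arp(pkt: bytes, arp_filter: dict[str, str], arp_table: dict[str, str]) -> bool:
    """Apply the filter: the ARP table is updated only for a permitted IP-MAC association."""
    _oper, ip, mac = parse_arp(pkt)
    if arp_filter.get(ip) != mac:
        return False          # association not permitted; table left untouched
    arp_table[ip] = mac
    return True

def demo() -> dict[str, bool]:
    # Constructed filter: the bindings an operator entered by hand.
    arp_filter = {"10.0.0.5": "02:00:00:00:00:05", "10.0.0.9": "02:00:00:00:00:09"}
    arp_table: dict[str, str] = {}
    gw = ("02:00:00:00:00:01", "10.0.0.1")
    legit = build_arp(ARP_REPLY, "02:00:00:00:00:05", "10.0.0.5", *gw)
    spoof = build_arp(ARP_REPLY, "02:00:00:00:00:66", "10.0.0.9", *gw)
    # Assumed dynamic reassignment: 10.0.0.5 now legitimately belongs to a new MAC, but the
    # stale filter still lists the old one, so the legitimate announcement is dropped too.
    relocated = build_arp(ARP_REPLY, "02:00:00:00:00:77", "10.0.0.5", *gw)
    return {
        "legit_accepted": process_arp(legit, arp_filter, arp_table),
        "spoof_rejected": not process_arp(spoof, arp_filter, arp_table),
        "stale_filter_blocks_legit": not process_arp(relocated, arp_filter, arp_table),
        "table_has_only_permitted": arp_table == {"10.0.0.5": "02:00:00:00:00:05"},
    }
```

The last two results show the problem the paragraph above describes: a filter that is not regenerated after an address changes rejects the illegitimate binding and the legitimate one alike.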
Based on the foregoing, there is a clear need for automatic filter generation and maintenance.